An examination of the specifics of each incident cites several reasons by the covered entities for not providing the requested records, including:
- Complete failure to respond
- Withholding records because of nonpayment
- Misunderstanding the scope of a durable power of attorney
- Employee misunderstanding of HIPAA right of access
These actions by OCR illustrate that HIPAA compliance is about ensuring the privacy of patients’ protected health information (PHI) and providing patients with access to their health records in a timely manner.
Illinois Podiatry Practice Hit with $100,000 HIPAA Fine
OCR lowered the boom on ACPM Podiatry, based in Peoria, Illinois, with a $100,000 fine for HIPAA right of access violations. According to OCR, the agency provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter.
Following a second complaint from the same individual alleging ACPM had still not provided the requested records, OCR sent multiple requests for information, a Letter of Opportunity, and a Notice of Proposed Determination. After all of OCR’s attempts at communication were unsuccessful, the agency issued a Letter of Final Determination and a $100,000 civil monetary penalty.
New York Eye Practice is Too Late to Prevent $22,500 Settlement
Associated Retina Specialists, an ophthalmology practice in New York City, waited five months to respond to a patient’s request for her medical records. By that time, OCR’s investigation into the matter had been going on for three days. Associated Retina agreed to take corrective action and pay $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard.